I'm quite experienced with VLANs, switches, routing and iptables.
However, I have some trouble assigning an SSID to a specific VLAN on OpenWRT. I use a CPE210 and today is my first day with OpenWRT.
So I've created an interface "TEST" in VLAN19 and assigned it to "LAN" on the Firewall tab.
VLAN19 fully works with the TP-Link stock firmware on this switch port. The switch port is configured to be untagged for the normal LAN and allows VLAN 19 tagged.
For testing purposes I had also selected DHCP client on eth0.19 and I got an IP address in VLAN19. I could also run curl --interface eth0.19 ifconfig.me and got the outbound IP address of VLAN19.
In Wireless I configured (see Post 2; as a new user I'm only allowed to post one picture per post)
However, my smartphone doesn't get a connection.
You can even see it in the Associated Stations for a short time before it says that it can't connect (see Post 3; as a new user I'm only allowed to post one picture per post).
As soon as I select "lan" instead of "Test" as the network, the smartphone connects, but it is in the wrong LAN, of course.
Is there some firewall issue I forgot to configure, or what is missing here to get the SSID into VLAN19?
The Test interface doesn't have any protocol, i.e. it is unmanaged. Therefore it doesn't matter whether it is assigned to a zone or not, as it is not routing anything.
Also, it seems that you are on version 21.02, which uses DSA and is slightly different in configuration.
Thanks for confirming that this is the expected behaviour.
Thanks for the link. That helps a lot, especially finding the VLAN settings in Network -> Can you assist me with the configuration? I can't get it to work.
So without enabling VLANs everything works fine; the primary LAN is untagged.
VLAN19 is available at the switch port when tagged.
No matter which configuration I tried, I lost access and the changes were reverted after 90 seconds so I could regain access.
So in the screenshot VLAN ID 1 is set to "do not participate". When setting VLAN ID 1 to "egress untagged" and checking "primary VLAN ID" it won't work, nor when leaving the "primary VLAN ID" check unset. When only setting up VLAN19 as tagged, there is also no connection, even when leaving "local" unchecked.
Sorry, with bridging I have almost no experience so far. Probably it is just one little configuration I'm missing.
The lan interface should be assigned to VLAN 1 since you are going to use it for management of the device. So I presume you'll make the eth0 port untagged with PVID 1. For VLAN 19 it can remain tagged as it is. Furthermore, the lan interface will have to use the br-lan.1 device.
There is actually a better example for single port devices.
Thanks. The linked article explains it for CPE210. So my interfaces are configured correctly.
Currently the bridge between vlan19 and the TestOPN SSID is missing.
How can that be configured via the web interface? I mean, in the stock firmware it is just a matter of entering VLAN ID 19 and the SSID is in VLAN 19, so it should work.
This suits better, because I have no VLAN ID 1. The network port is untagged for the main network, so the first line in the screenshot, where VLAN ID is empty and "100FD" is shown, is correct, because to access the network there is no VLAN awareness.
When adding the VLAN 19 tag, the guest network is accessible. But still, when applying this configuration, network connectivity is lost.
I can add a new bridge device, but there is no option to bridge to the Wi-Fi interface, as you can see in the screenshot. See next post; I still count as a new user and can't post two images in one post.
I think you need to configure the switch since the ath79 target is still swconfig. (In swconfig you use the Network -> Switch page to directly control the hardware switch; bridge-vlans are DSA oriented.) Each VLAN needs an entry in the switch to bring it from the eth port to the external port. Also, the 10/100 SoCs don't directly support VLAN numbers over 16; that requires CLI configuration of separate option vlan and option vid.
Avoid running tagged and untagged on the same cable. When running a trunk between two VLAN-aware devices, tag all packets. This means you should convert the lan network to VLAN 1 or some other VLAN number; conventionally, 1 is the privileged network used for administration.
I'm not sure how that worked at all since an unmanaged interface has no IP address in the kernel, so there is no way for it to originate layer 3 traffic from the router OS. The 'Test' bridge is going to be a passive layer 2 conversion of wifi to wired. The device at the other end of the Ethernet cable needs to handle DHCP and all layer 3 actions.
Taking into consideration the existing lan interface, I'd try this one:
I've already tried that without success, see:
I think you need to configure the switch since the ath79 target is still swconfig. (In swconfig you use the Network -> Switch page to directly control the hardware switch; bridge-vlans are DSA oriented.) Each VLAN needs an entry in the switch to bring it from the eth port to the external port. Also, the 10/100 SoCs don't directly support VLAN numbers over 16; that requires CLI configuration of separate option vlan and option vid.
Can you explain that a bit more? With the stock firmware, I just enter VLAN 19 in the SSID settings and the SSID is in that VLAN. I find it strange that this seems so hard to set up in OpenWRT.
Avoid running tagged and untagged on the same cable.
It has grown historically. The network was completely without VLANs. Then TP-Link APs with stock firmware were added, and another VLAN was added as a guest network. It works very well.
I'm not sure how that worked at all since an unmanaged interface has no IP address in the kernel, so there is no way for it to originate layer 3 traffic from the router OS. The 'Test' bridge is going to be a passive layer 2 conversion of wifi to wired. The device at the other end of the Ethernet cable needs to handle DHCP and all layer 3 actions.
See:
For testing purposes I had also selected DHCP client on eth0.19 and I got an IP address in VLAN19. I could also run curl --interface eth0.19 ifconfig.me and got the outbound IP address of VLAN19.
But now the interface is removed again, because from VLAN19 there should be no possibility to access any device in the network (except the firewall/router, see below).
There is another Linux machine attached to the same Ethernet configuration, i.e. without a VLAN for the normal network and with an eth0.19 interface where DHCP and routing with selected firewall rules are running. So OpenWRT should be a dumb AP in this case, just connecting eth0.19 with the TestOPN wireless network.
You need to make a bridge containing eth0.19, maybe call it br-vlan19.
# /etc/config/network: a plain layer 2 bridge whose only wired member is the VLAN 19 sub-interface
config device
	option name 'br-vlan19'
	option type 'bridge'
	list ports 'eth0.19'
And a network with proto none to claim this bridge. That really doesn't do anything, but if you don't have this section the bridge doesn't get set up at all.
# /etc/config/network: unmanaged interface that owns the bridge (no IP, no routing on this box)
config interface 'vlan19'
	option device 'br-vlan19'
	option proto 'none'
For testing you can set the interface as a DHCP client (proto dhcp) instead and have a local IP.
Then, since there is a network called 'vlan19', use option network 'vlan19' in /etc/config/wireless to attach your AP to the bridge. A bridge takes over the interfaces within it; you wouldn't reference 'eth0.19' directly except in the bridge device creation.
brctl show should show the br-vlan19 bridge and the ports within it.
To get this done via LuCI without editing config files, with VLAN 19 as the example:
Add the vlan19 device
Go to Network -> Interfaces -> tab Interfaces. Click "Add new interface".
Type eth0.19 and hit enter, then click "Create interface" and then "Save and apply". BTW: eth0.19 is only a common naming convention for a VLAN sub-interface with ID 19. eth0.19 could also carry VLAN ID 42, see https://wiki.archlinux.org/title/VLAN#Create_the_VLAN_device
So OpenWRT just interprets eth0.19 as: ip link add link eth0 name eth0.19 type vlan id 19
Now go to the Devices tab and click "Add device configuration".
Select "Bridge device" as the device type, give it a name like "br-vlan19" and eth0.19 as the bridge port, click Save and then "Save and Apply".
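The two posts above describe the same setup twice, once as UCI config and once as LuCI clicks, and an earlier reply adds that on a swconfig (ath79) target the switch also needs a switch_vlan row with separate option vlan and option vid. The script below is an added example written for this thread, not code from the thread or from the OpenWrt project: it emits the matching uci batch commands for any VLAN id and SSID, so the whole thing can be applied from the CLI in one go. The switch name, port numbers, table row and the 'radio0' name are assumptions that must be checked against swconfig list, swconfig dev <name> show and uci show wireless on the device.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenWrt project): generate the
# `uci batch` commands that bridge eth0.<VID> to a wifi-iface through a
# proto 'none' interface, plus (optionally) the swconfig switch_vlan row.
#
# Assumptions, to be checked on the device (none are confirmed by the thread):
#   - the trunk arrives on eth0 and the guest tag is 802.1Q VLAN <VID>
#   - the radio section is called 'radio0' (check with: uci show wireless)
#   - SWITCH_* below match `swconfig list` and `swconfig dev <name> show`;
#     the defaults are placeholders, not CPE210 facts
SWITCH_NAME="${SWITCH_NAME:-switch0}"      # assumption
SWITCH_CPU_PORT="${SWITCH_CPU_PORT:-0}"    # assumption: port wired to eth0
SWITCH_LAN_PORT="${SWITCH_LAN_PORT:-1}"    # assumption: the RJ45 port
SWITCH_SLOT="${SWITCH_SLOT:-2}"            # assumption: free row in the VLAN table

# 802.1Q VLAN ids are 1..4094; anything else is rejected before it reaches uci.
valid_vid() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$1" -ge 1 ] && [ "$1" -le 4094 ]; then return 0; fi
  return 1
}

# gen_uci_batch VID SSID [swconfig] [PSK]
# Prints uci batch lines: bridge device, proto none interface, wifi-iface and,
# with "swconfig" as the third argument, the switch_vlan row. A PSK as the
# fourth argument turns the open SSID into WPA2-PSK.
gen_uci_batch() {
  vid="$1"; ssid="$2"; mode="${3:-}"; psk="${4:-}"
  valid_vid "$vid" || { echo "gen_uci_batch: bad VLAN id '$vid'" >&2; return 1; }
  net="vlan${vid}"
  # Bridge with the VLAN sub-interface as its only wired port; the interface
  # that claims it has no protocol, so this box does no layer 3 for the VLAN.
  cat <<EOF
set network.${net}_dev=device
set network.${net}_dev.name='br-${net}'
set network.${net}_dev.type='bridge'
add_list network.${net}_dev.ports='eth0.${vid}'
set network.${net}=interface
set network.${net}.device='br-${net}'
set network.${net}.proto='none'
set wireless.${net}_ap=wifi-iface
set wireless.${net}_ap.device='radio0'
set wireless.${net}_ap.mode='ap'
set wireless.${net}_ap.ssid='${ssid}'
set wireless.${net}_ap.network='${net}'
EOF
  if [ -n "$psk" ]; then
    printf "set wireless.%s_ap.encryption='psk2'\nset wireless.%s_ap.key='%s'\n" "$net" "$net" "$psk"
  else
    printf "set wireless.%s_ap.encryption='none'\n" "$net"
  fi
  if [ "$mode" = "swconfig" ]; then
    # 'vlan' is the row in the switch's VLAN table, 'vid' the 802.1Q tag;
    # keeping them separate is what the reply above says small switches need
    # for ids above their table size. Tag ('t') on both CPU and LAN port.
    cat <<EOF
set network.${net}_sw=switch_vlan
set network.${net}_sw.device='${SWITCH_NAME}'
set network.${net}_sw.vlan='${SWITCH_SLOT}'
set network.${net}_sw.vid='${vid}'
set network.${net}_sw.ports='${SWITCH_CPU_PORT}t ${SWITCH_LAN_PORT}t'
EOF
  fi
}

# Stand-alone: sh vlan_ssid.sh 19 TestOPN swconfig | uci batch
if [ "$#" -ge 2 ]; then gen_uci_batch "$@"; fi
```

Apply it on the device with sh vlan_ssid.sh 19 TestOPN swconfig | uci batch && uci commit && /etc/init.d/network restart && wifi. Because a wrong switch_vlan row on a single-port device cuts off management (the 90 second rollback seen in LuCI earlier in the thread does not exist on the CLI), copy /etc/config/network and /etc/config/wireless to /tmp first and start a restore timer such as (sleep 180; cp /tmp/network.bak /etc/config/network; cp /tmp/wireless.bak /etc/config/wireless; /etc/init.d/network restart) & before committing, then kill it once the device is still reachable. With proto none the bridge has no IP, so DHCP and every filtering rule for the guest VLAN live on the upstream router, exactly as the thread intends; an open SSID here is only as isolated as that upstream firewall makes it.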
Did you already check whether this is a pfSense issue or an OpenWRT issue? I.e., did you connect a PC to the pfSense port where the Archer C7 v2 is and set VLAN 115 in the Ethernet controller?
If there is no IP from the Guests network, then the error is on pfSense.
I am not sure I understand what you call stale entries.
While @VLANMaster had only VLAN19, I want to have two VLANs, one for private users and another one for guests. The two entries highlighted in blue are different bridges.